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[57] ABSTRACT 

A method of writing information securely in ta^partable- 

ponent. According to the invention, information is written in 
at least two stages on at least two distinct sites, with 
information depending on the chosen second site being 
written in a first step at the first site, and with information 
necessary for operation of medium being written in a second 
step at the second site. Application to protecting portable 
media for electronic transactions against theft. 

9 Claims, 1 Drawing Sheet 
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METHOD OF WRITING INFORMATION According to the present invention, the solution to the 

SECURELY IN A PORTABLE MEDIUM technical problem posed consists in that said information is 

written in at least two stages on at least two distinct sites, 
FIELD OF THE INVENTION with information depending on the chosen second site being 

Tne present invention relates to a tnethod=Df-writing^ writtcn " ! first ste P at th / fil f si *: ™* Motion 
mformation-sccuid^^ for operation of said medium being wntten in a 

Vrovided= witn-TfiTmware electronic component. ste P atjheje^ndsite. 

Aparticularly advantage application of the invention lies . Ttefc^ma^^ 
in the field of securing portable electronic transaction media * te j. ^djhe.second-s_ite-may bethe or^ratorzche_nt : site^or a 
against theft, in particular during transport between two distribution site. 

preparation sites. Tn e term "ooexation . oX the,.medium^ means that the 

medium is in a conclition~to access goods or services. 
BACKGROUND OF THE INVENTION ^ it ^ be understood that if port able media are 

Numerous electronic transactions systems are known that 15 stolen from the first site, e.g. the site of manufacture, or 
make use of portable information media The. best known while in transit to the second site, the site of the operator, 
comprise payment systems based on memory cards. Other then the stolen media cannot be used and are not negotiable 
systems use electronic keys. When appropriately since they are impossible to ready for use because the 
programmed, such portable information media give their mformattorrrc^^^ 

holders access to goods or services provided by an operator, 2 o w Otten~therein, 

such as a pay-phone, electricity, or television. It can also be added that any possibility of dishonest use 

At present, portable electronic transaction media are is exdudedsinc^ 
manufactured in very large quantities at centralized produc- oLUae^pSga^^ 

tion sites, and then they are delivered ready for use to an information that depeno^Jhe^hpAe^n.second -site-and-toat 

operator or to a distribution center which then passes them 25 c makesarr^sSibile-to write j^Mormation necessary for the 
on to carriers. Naturally, in the event of theft, said media can operation^oFthe-receivecl media. 

be sold beyond the control of the operator. In a preferred implementation of the present invention, 

Various means of providing protection against this risk said information depending on the cho^seconcksite-com- 
have been conceived, such as physical protection during pr^s ; a4rar^ort : k^ 

transport, which nevertheless turns out to be insufficient 30 in^^^tronic^omrwnent, 

since it is expensive, inconvenient, and does not always To have access to the component and write the informa- 
provide a genuine guarantee. lion necessary for operation of the medium therein, the 

Identifying stolen media by means of a stop list assumes OEgrateanHhe*6c^ 
that reader devices have the capacity to process long lists, keyahaLudl^ 

and often that is not the case. 35 The invention also provides for said information depend- 
Finally, transporting media in small batches does indeed ing on the chosen second site to comprise a ^codeddentify ing / 
limit the risk, but it makes costs and deadlines unacceptable ^e-second-sitezand-^^ J* ( 

for large volumes. ^PggjS Ll ==a— 8 7 ^ 

Also, for portable information media provided with a 40 The a Jdressee operator on the second site receiving media 
firmware electronic component, such as prepaid phone as delivered by the manufacturer from the first site can thus 
cards, a security technique is known whereby a transport check that it is indeed the intended media that has been 
code programmed by the manufacturer of the firmware delivered. Also, since the wrtogjsjrreversible, jiyen^ 
electronic component makes it possible to ensure that only legitimate^ code 

the manufacturer of media for whom the component is 45 cannot-make^ise^me^ia4^ 
intended will be able to use it. hoDestly-or-in-error^ 

To extend this service to transport between the manufac- BRIEF DESCRIPTION OF THE DRAWING 
hirer of the media and the operator-client, it would suffice if 

the manufacturer did no programming, leaving that to the The following description given with reference to the 

operator-client. However, such a system would suffer from 50 accompanying drawing and by way of non-limiting example 

the major drawback that the transport code could not be makes it easy to understand what the invention consists in 

given to the operator for reasons of confidentiality unless the and how it can be performed. 

media manufacturer were to provide components having FIG. 1 is a summary table showing the various steps of 

different codes as a function of different clients. That solu- writing information securely in a portable information 

tion would lead to very expensive and difficult logistic 55 medium in application of the method of the invention, 

constraints. MORE DETAILED DESCRIPTION 

OBJECTS AND SUMMARY OF THE M caQ be ^ in the table of h me process of 

INVENTION writing information in a portable medium, such as a memory 

The technical problem to be solved by the present inven- 60 card, fitted with a firmware electronic component, begins 

tion is to propose a method of writing information securely with the manufacturer of the electronic component itself, 

in a portable information medium provided with a firmware Thczman^actur ej-writes-a-c^ 

electronic component, which method makes it possible, in a may : ^-pro£ramjne 4~in-in'eversible-m arinej^ which-code-i s 

manner that is very simple and cheap, to obtain a high level charac teristic-of-the~co mr^ 

of protection against dishonest acts that might occur 65 cwlejwJikJH^ch^ 

between manufacture of the media and reception thereof by media-to-w hpjnrthe-<x^ the 

the operator. electronic component includes a "transport code" function, 
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then the comt>oacDt«mai iufacturcr J ,atsQ_\vrites_in w sc crct Finally, the user programs counters that define the func- 

maiuief«a«tfansport*keyekiK3wi^ tional capability of the medium, for example the financial 

ifacturei** capacity of a prepaid phone card. These counters may be 

Information ca^written^^^ T^Toi "f"* ^ ^ ^ * ^ 

enfcwaysW * on &* ^ 

In one implementation, writing is performed in a zone of L A method of writmg information securely in a portable 

the component that is subsequently disconnected from the information medium fitted with a firmware electronic 

write circuits, cg£mmS% Q *&& s& t component, wherein said information is written in at least 

In another implementation, this information is written in 1Q t wo stages on at least two distinct sites, with information 

a zone that can be written and read but not erased. Under depending on the chosen second site being written in a first 

such circumstances, codes are selected in such a manner that s tep at the first site, and with information necessary for 

it is necessary to erase at least one bit in order to change operation of said medium being written in a second step at 

code. the second site; 

On receiving the component, and merely by reading the 15 wherein the information necessary for operation of said 

zone Zl, the manufacturer of portable media can verify the portable medium comprises counters defining the 

origin of the component and verify that the component has operational capacity of the medium and written in the 

indeed been delivered to the intended addressee. electronic component; and 

Thereafter, in order to be able, in turn, to write informa- wherein said information depending on the chosen second 

tion in the component the media manufacturer must present 20 site comprises a transport key specific to the second site 

the transport key that has been allocated thereto. and written in said electronic component, and wherein 

Thus, while making the portable medium, the manufac- said counters are written during the second step to 

hirer can write information that depends on the user, i.e. replace the transport key specific to the second site. 

firstly in.the.zone Zl anuden^c^tiontco detspe'dficitoitho> 2. A method according to claim 1, wherein said mforma- 

operator-user oFuie^upport, and secondly a second transport 25 tion depending on the chosen second site comprises a 

key likewise specific to the user and which, for example, transport key specific to the second site and written in said 

maylfl^ia^e^accoTn^^ electronic component. 

„. „ iL f _ r.. 4 . i j* • 3. A method according to claim 2, wherein said transport 

Finally, the manufacturer of the portable medium writes in , . , . . & _ A t ' . t r * 

iL m • r *■ *u * • a * *u ♦ ui- key is written during the first step as a replacement for or in 

the zone Zl information that is specific to the portable *. fi *i - c \ ^ c * 

1£ . • t **<5 ** „u u* u 30 addition to a first transport key specific to the first site, 

medium itself, such as an identification number, which . . , . . * . - - , - c 

, , * t . . * c #u a -c -a 4. A method according to claim 1, wherem said informa- 

number can be printed on the body of the card if said . . .7. * a 

. r j tt,' • j_ , ta „ tion depending on the choice of second site comprises an 

medium is a memory card. This provides additional protec- ., & , . , , . .„ • ■ l. 

. 1 1 , Ct . 4 . . r *j „ j- u ♦ identification code of the second site written in irreversible 

tion against theft since the numbers of said media can be put . , 

on a sto list manner in the electronic component. 

" 35 5. A method according to claim 1, wherein information 

The portable medium is then delivered to the user quite spedfic tQ said pQrtable medium is wriUen ^ j^^k 

securely. Since it is not in a condition to be used, it is of no manner m the electronic comp0 nent. 

financial value. Even if it is stolen, no dishonest information 6 A method according t0 daira 5> wherein said Mrial 

can be written therein since access to the component number fe a|sQ printed Qn the programmable medium, 

requires knowledge of the second transport key. 4Q ? A method according t0 claim ly wherein information 

When the user receives the portable medium from the necessary for the operation of said portable medium com- 

mjstomjnanufacturer, the identification code written-in^ie prises at least one authentication value relying on secret 

izo iieLZllcjUilbe.r^ information unknown to the first site, 

been delivered to the intended addressee. Then, after pro- 8, \ method according to claim 7, wherein information 

viding the second transport key, the user can write in a zone 45 specific to said portable medium is written in irreversible 

72 of the c^mp£nen^siwh = info^ation as -is required to manner in the electronic component, and wherein said 

enajble^the^me^m'toH^pejat f 1 " ~ information necessary for the operation of the portable 

This information comprises at least an identification medium comprises at least one authentication value com- 
value, e.g. a certificate or a diversified key computed on the puted on the basis of said information specific to the medium 
basis of said information specific to the medium plus secret 50 plus information unknown to the first site, 
information unknown to the manufacturer of the medium, 9. A method according to claim 8, wherein said authen- 
such as a key for encrypting the serial number of the tication value is not readable and is used via a "challenge- 
medium. Preferably, said authentication value is not read- response" mechanism, 
able and is used via a conventional "challenge-response" 

mechanism. ***** 
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